Implementing option '--where' (Issue #605)

This commit is contained in:
Miroslav Stampar 2014-02-11 16:20:45 +01:00
parent be6767b3b0
commit d05bfdd7dd
5 changed files with 33 additions and 0 deletions


@ -129,6 +129,7 @@ optDict = {
"tbl": "string", "tbl": "string",
"col": "string", "col": "string",
"excludeCol": "string", "excludeCol": "string",
"dumpWhere": "string",
"user": "string", "user": "string",
"excludeSysDbs": "boolean", "excludeSysDbs": "boolean",
"limitStart": "integer", "limitStart": "integer",


@ -424,6 +424,9 @@ def cmdLineParser():
help="Exclude DBMS system databases when " help="Exclude DBMS system databases when "
"enumerating tables") "enumerating tables")
enumeration.add_option("--where", dest="dumpWhere",
help="Use WHERE condition while table dumping")
enumeration.add_option("--start", dest="limitStart", type="int", enumeration.add_option("--start", dest="limitStart", type="int",
help="First query output entry to retrieve") help="First query output entry to retrieve")


@ -38,6 +38,7 @@ def pivotDumpTable(table, colList, count=None, blind=True):
if count is None: if count is None:
query = dumpNode.count % table query = dumpNode.count % table
query = whereQuery(query)
count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) if blind else inject.getValue(query, blind=False, time=False, expected=EXPECTED.INT) count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) if blind else inject.getValue(query, blind=False, time=False, expected=EXPECTED.INT)
if isinstance(count, basestring) and count.isdigit(): if isinstance(count, basestring) and count.isdigit():
@ -83,6 +84,7 @@ def pivotDumpTable(table, colList, count=None, blind=True):
logger.info(infoMsg) logger.info(infoMsg)
query = dumpNode.count2 % (column, table) query = dumpNode.count2 % (column, table)
query = whereQuery(query)
value = inject.getValue(query, blind=blind, union=not blind, error=not blind, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) value = inject.getValue(query, blind=blind, union=not blind, error=not blind, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
if isNumPosStrValue(value): if isNumPosStrValue(value):
@ -122,6 +124,8 @@ def pivotDumpTable(table, colList, count=None, blind=True):
else: else:
query = dumpNode.query2.replace("'%s'", "%s") % (agent.preprocessField(table, column), table, agent.preprocessField(table, colList[0]), unescaper.escape(pivotValue, False)) query = dumpNode.query2.replace("'%s'", "%s") % (agent.preprocessField(table, column), table, agent.preprocessField(table, colList[0]), unescaper.escape(pivotValue, False))
query = whereQuery(query)
return unArrayizeValue(inject.getValue(query, blind=blind, time=blind, union=not blind, error=not blind)) return unArrayizeValue(inject.getValue(query, blind=blind, time=blind, union=not blind, error=not blind))
value = _(pivotValue) value = _(pivotValue)
@ -163,3 +167,18 @@ def pivotDumpTable(table, colList, count=None, blind=True):
logger.critical(errMsg) logger.critical(errMsg)
return entries, lengths return entries, lengths
def whereQuery(query):
if conf.dumpWhere and query:
prefix, suffix = query.split(" ORDER BY ") if " ORDER BY " in query else (query, "")
if "%s)" % conf.tbl.upper() in prefix.upper():
prefix = re.sub(r"(?i)%s\)" % conf.tbl, "%s WHERE %s)" % (conf.tbl, conf.dumpWhere), prefix)
elif re.search(r"(?i)\bWHERE\b", prefix):
prefix += " AND %s" % conf.dumpWhere
else:
prefix += " WHERE %s" % conf.dumpWhere
query = "%s ORDER BY %s" % (prefix, suffix) if suffix else prefix
return query
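Review bot: On the `re.sub` line of `whereQuery`, `conf.tbl` is interpolated into the pattern unescaped and `conf.dumpWhere` is passed as a raw replacement string, so a table name containing regex metacharacters (`.`, `$`, brackets) either fails to match or raises `re.error`, and a backslash or `\1` inside the condition is interpreted as an escape; `re.sub(r"(?i)%s\)" % re.escape(conf.tbl), lambda _: "%s WHERE %s)" % (conf.tbl, conf.dumpWhere), prefix)` avoids both. Two lines earlier, `query.split(" ORDER BY ")` is unpacked into exactly two names, so a query containing a second ` ORDER BY ` (for example inside the subquery the `tbl)` branch is meant to handle) raises `ValueError`; `query.split(" ORDER BY ", 1)` bounds it. `conf.tbl.upper()` also assumes `conf.tbl` is set whenever `--where` is; if `pivotDumpTable` can run without it, guard with `if conf.tbl and "%s)" % conf.tbl.upper() in prefix.upper():`. Since the function is now imported by a second module, a docstring such as `"""Insert conf.dumpWhere into the WHERE clause of query (adding one if absent), keeping any trailing ORDER BY."""` would help. `pivotDumpTable` starts outside the hunk, and whether `re` is already imported at the top of this file is not visible here.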


@ -42,6 +42,7 @@ from lib.core.settings import NULL
from lib.request import inject from lib.request import inject
from lib.utils.hash import attackDumpedTable from lib.utils.hash import attackDumpedTable
from lib.utils.pivotdumptable import pivotDumpTable from lib.utils.pivotdumptable import pivotDumpTable
from lib.utils.pivotdumptable import whereQuery
class Entries: class Entries:
""" """
@ -175,6 +176,8 @@ class Entries:
else: else:
query = rootQuery.inband.query % (colString, conf.db, tbl) query = rootQuery.inband.query % (colString, conf.db, tbl)
query = whereQuery(query)
if not entries and query: if not entries and query:
entries = inject.getValue(query, blind=False, time=False, dump=True) entries = inject.getValue(query, blind=False, time=False, dump=True)
@ -226,6 +229,8 @@ class Entries:
else: else:
query = rootQuery.blind.count % (conf.db, tbl) query = rootQuery.blind.count % (conf.db, tbl)
query = whereQuery(query)
count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
lengths = {} lengths = {}
@ -300,6 +305,8 @@ class Entries:
elif Backend.isDbms(DBMS.FIREBIRD): elif Backend.isDbms(DBMS.FIREBIRD):
query = rootQuery.blind.query % (index, agent.preprocessField(tbl, column), tbl) query = rootQuery.blind.query % (index, agent.preprocessField(tbl, column), tbl)
query = whereQuery(query)
value = NULL if column in emptyColumns else inject.getValue(query, union=False, error=False, dump=True) value = NULL if column in emptyColumns else inject.getValue(query, union=False, error=False, dump=True)
value = '' if value is None else value value = '' if value is None else value
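Review bot: `whereQuery` only relocates a trailing ` ORDER BY `, so in the Firebird branch the condition is appended after whatever `rootQuery.blind.query % (index, ...)` already ends with; if any backend's `blind.query` template ends in a row-selection tail such as `LIMIT`/`OFFSET`/`ROWS` rather than `ORDER BY`, the result is likely malformed SQL that the blind retrieval then reports as an empty value. That is worth checking against each backend's template, or handling those tails in `whereQuery` the way `ORDER BY` is. Relatedly, `whereQuery` detects the subquery form from `conf.tbl` while this code works on the loop variable `tbl`; as long as `conf.tbl` is assigned from `tbl` before this point the two agree, but passing the table explicitly, e.g. `query = whereQuery(query, tbl)`, would remove that coupling. The enclosing method starts and ends outside the hunk.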


@ -458,6 +458,9 @@ col =
# Back-end database management system database table column(s) to not enumerate. # Back-end database management system database table column(s) to not enumerate.
excludeCol = excludeCol =
# Use WHERE condition while table dumping (e.g. "id=1").
dumpWhere =
# Back-end database management system database user to enumerate. # Back-end database management system database user to enumerate.
user = user =